Skip to main content

Posts

Showing posts from April 15, 2020

Palo Alto Firewall Management Hardening

So you got a fresh new firewall, out of the box. You are done with the basic configuration, placed it into your network, connected the management interface to the management network (Either you have a dedicated management switch / infrastructure which promises a true out of band connectivity or you create a "pseudo" separate network using management VLANs). Of course, it is already recommended to have a firewall protecting the management network, the since compromise on this network can directly lead to access to each of the devices, with catastrophic outcome. In spite of this, there are several management hardening steps that should be carried out to ensure that the firewall's management access is as secure as it can be. Disable telnet (TCP 21) and HTTP (TCP 80) Telnet and HTTP send data in clear text and all it takes is a carefully crafted SPAN / RSPAN session to forward a copy of the communication to a remote machine where the captured traffic (including clear text pas...